OSX Sandboxing for include file interference during build


A while ago I posted about using the OSX built-in sandbox to protect against unwanted file or network accesses.

Sometimes I cross-compile for Windows using Docker (e.g. dockercros) or, more typically, directly with cmake under OSX.

In both cases there is a chance that a library's cmake scripts do not look up their dependencies correctly and silently pick up the system include files (e.g. /usr/include and /usr/local/include) instead of the cross-compilation headers. The OSX sandbox comes in handy here, because it allows access to one or more directories to be blocked for the whole build process tree.

This is the OSX sandboxing script I am using:

(version 1)
;; start closed: everything not explicitly allowed below is denied
(deny default)
(allow sysctl-read)
(allow signal)
;; cmake and make spawn the compiler, linker and helper tools
(allow process-exec)
(allow process-fork)
(allow mach* sysctl-read)
;; reads are allowed everywhere first ...
(allow file-read* (regex "^.*"))
;; ... and taken away again for the include directories; the later rule wins
(deny file-read* (regex "^/usr/local/include.*") (regex "^/usr/include.*"))
;; writes only under /tmp and the build directory passed in as -D target=...
(allow file-write* (regex (string-append "^/tmp/.*")) (regex (string-append "^" (regex-quote (param "target")) ".*")) )

The profile starts with a deny-everything rule and then re-enables what the build needs. File reads had to be allowed everywhere and then restricted again, because cmake and the build tools touch far too many paths to allow-list them individually. This works because the sandbox applies the last rule that matches a path, so the narrower deny placed after the blanket allow is the one that applies to the include directories. Note that a regex such as "^/usr/include.*" is a plain prefix match: it would also cover a sibling directory whose name starts with /usr/include, which is harmless here but worth remembering when hiding other paths.

As in the previous script, the profile is parametrised with a path, the build output directory, which is passed in by the launching script below (hideincludes.sh):

#!/bin/bash
# usage: hideincludes.sh <build-dir> <command> [args...]
# <build-dir> must be an absolute path, since the profile anchors it with "^"
target=$1
shift 1
# locate hideincludes.sb next to this script
P=$(dirname "$(realpath -s "${BASH_SOURCE[0]}")")
sandbox-exec -f "$P/hideincludes.sb" "-Dtarget=$target" "$@"

The script can then be tried interactively; the deny covers file-read*, so even listing the directory fails:

hideincludes.sh $(pwd) bash
ls /usr/local/include
>>ls: /usr/local/include: Operation not permitted

CMake and make ran the build without problems under this profile.
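The same idea generalised to an arbitrary list of hidden directories, as an added example that is not one of the scripts from the post. It keeps the post's rule set but emits one deny rule per directory and uses SBPL's (subpath "...") filter instead of an anchored regex, so a hidden path does not also match a sibling that merely shares its prefix and no regex quoting of the path is needed. The HIDE_DIRS variable, the helper names and the colon-separated format are this example's own conventions.

```shell
#!/bin/sh
# Added example, not the scripts from the post: generate the "hide includes"
# profile for any number of directories and run a command under it.

# Escape a path for use inside an SBPL double-quoted string literal.
sbpl_string() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Print the profile. Usage: gen_hide_profile BUILD_DIR HIDDEN_DIR...
# The rule set mirrors the post's profile: deny everything, re-enable the
# process and sysctl operations the build tools need, allow all reads, then
# take the hidden subtrees away again. The sandbox applies the last matching
# rule, so the denies emitted below win over the blanket allow for those
# paths only. (subpath "/x") matches /x itself and everything below it,
# but not /x-old.
gen_hide_profile() {
    target=$1; shift
    cat <<'EOF'
(version 1)
(deny default)
(allow sysctl-read)
(allow signal)
(allow process-exec)
(allow process-fork)
(allow mach* sysctl-read)
(allow file-read* (regex "^.*"))
EOF
    for d in "$@"; do
        printf '(deny file-read* (subpath "%s"))\n' "$(sbpl_string "$d")"
    done
    # Writes only under /tmp and the build directory, as in the post.
    printf '(allow file-write* (subpath "/tmp") (subpath "%s"))\n' "$(sbpl_string "$target")"
}

# Run COMMAND under the generated profile.
# Usage: HIDE_DIRS=/usr/include:/usr/local/include hide_includes BUILD_DIR COMMAND...
# HIDE_DIRS is colon separated and defaults to the two directories from the post.
hide_includes() {
    target=$1; shift
    case $target in
        /*) ;;
        *) echo "hide_includes: BUILD_DIR must be absolute (got '$target')" >&2; return 2 ;;
    esac
    profile=$(mktemp "${TMPDIR:-/tmp}/hideincludes.XXXXXX") || return 1
    # Split HIDE_DIRS on ':' without globbing, in a subshell so IFS is untouched.
    ( IFS=:; set -f; gen_hide_profile "$target" ${HIDE_DIRS:-/usr/include:/usr/local/include} ) > "$profile"
    sandbox-exec -f "$profile" "$@"
    rc=$?
    rm -f "$profile"
    return $rc
}
```

Source the file and run e.g. `hide_includes "$(pwd)" cmake --build .` from the build directory, or `HIDE_DIRS=/usr/include:/usr/local/include:/opt/local/include hide_includes "$(pwd)" bash` to also hide a MacPorts prefix; the generated profile can be inspected with `gen_hide_profile "$(pwd)" /usr/include`.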

The scripts are on gist.
